SYSTEM AND TECHNOLOGY
Vero’s online screening platform has been developed for the specific purpose of capturing candidate data and reporting screening results to our Clients. Vero are acutely aware of the value of this data, and data security is therefore of the highest priority within our organisation. We have adopted a defence-in-depth approach to security, combining people, process and a range of technological controls to mitigate data loss and to uphold the three principles of the information security triad: confidentiality, integrity and availability. Our commitment to the security of candidate data is underlined by our ISO 27001 and Cyber Essentials certifications.
TECHNOLOGY SUPPORT STAFF
Vero have experienced, security-qualified staff responsible for our Information Security programme, who also ensure that members of the development and infrastructure teams are regularly trained and apply security principles throughout their work. All technology support staff are in-house, UK-based, full-time employees.
Part of the Vero offering is a set of secure, encrypted portals through which Clients and Candidates submit and exchange information. Vero strongly encourage the use of these portals and actively discourage the transfer of any sensitive data by email. Where there is a specific requirement for sensitive information to be sent by email, Vero strongly recommend that the content is encrypted and that the encryption key or passphrase is communicated over a separate, non-email channel.
All Vero data is processed in the Microsoft Azure cloud (data centres in Amsterdam and UK South), with a tertiary location on-premises in the Vero headquarters server room (Brighton, UK). No data leaves the European Economic Area during transmission between Vero and the cloud environment.
To ensure that the disclosure of personal data is strictly controlled, data is encrypted both in transit (transmission and communication) and at rest (storage).
SYSTEM ACCESS CONTROLS
All screens and computers are locked when unattended, and access to the system requires a username and password; passwords are never held in clear text. The following optional controls can be enabled at a Client’s request:
- IP allowlisting (whitelisting), so that Client accounts can only sign in from approved IP addresses
- Two-factor authentication, which limits the impact of a compromised password
DATA ACCESS CONTROLS
The processing of data is restricted by job role. Only designated personnel are able to view, copy, delete or modify data.
All actions within the system are audited with date, time and employee identification, so that every action is traceable to an individual.
To ensure that data collected for different purposes is processed separately, production and test servers sit within separate environments. All Client data is stored within the same database and is separated by globally unique identifiers (GUIDs), with the software enforcing at the level of each user account that only the data belonging to that user’s Client can be reached. No customer data is used in any development, testing or staging environment.
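As an added illustration of the shared-database model described above (this is example code, not Vero’s own implementation; the role names, the shape of the session object and the table layout are assumptions made for the example), the following Python shows the three controls working together: the Client GUID used to filter every query is taken from the authenticated session rather than from the request, each action is checked against the caller’s job role, and every attempt, allowed or denied, is written to an audit table with a timestamp and employee identifier.

```python
import sqlite3
import uuid
from datetime import datetime, timezone


class AccessDenied(Exception):
    """Raised when a session lacks the role, or the tenant, for an action."""


# Hypothetical role model: which actions each job role may perform.
ROLE_PERMISSIONS = {
    "viewer": {"view"},
    "analyst": {"view", "modify"},
    "admin": {"view", "modify", "delete"},
}


class ScreeningStore:
    """Shared-database store: every candidate row carries the owning Client's
    GUID, and every query is filtered by the GUID bound to the caller's
    authenticated session (never by a client id supplied in the request)."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            "CREATE TABLE candidates (id TEXT PRIMARY KEY, client_id TEXT NOT NULL,"
            " name TEXT NOT NULL, status TEXT NOT NULL)"
        )
        self.db.execute(
            "CREATE TABLE audit (ts TEXT, employee TEXT, client_id TEXT,"
            " action TEXT, candidate_id TEXT, outcome TEXT)"
        )

    def _audit(self, session, action, candidate_id, outcome):
        # Every attempt, allowed or denied, is recorded with time and employee.
        self.db.execute(
            "INSERT INTO audit VALUES (?, ?, ?, ?, ?, ?)",
            (datetime.now(timezone.utc).isoformat(), session["employee"],
             session["client_id"], action, candidate_id, outcome),
        )

    def _require(self, session, action, candidate_id):
        # Role check: the action must be permitted for the caller's job role.
        if action not in ROLE_PERMISSIONS.get(session["role"], set()):
            self._audit(session, action, candidate_id, "denied:role")
            raise AccessDenied(f"role {session['role']} may not {action}")

    def add_candidate(self, session, name):
        self._require(session, "modify", None)
        cid = str(uuid.uuid4())
        self.db.execute(
            "INSERT INTO candidates VALUES (?, ?, ?, ?)",
            (cid, session["client_id"], name, "in_progress"),
        )
        self._audit(session, "modify", cid, "ok:create")
        return cid

    def get_candidate(self, session, candidate_id):
        self._require(session, "view", candidate_id)
        row = self.db.execute(
            "SELECT id, name, status FROM candidates WHERE id = ? AND client_id = ?",
            (candidate_id, session["client_id"]),
        ).fetchone()
        if row is None:
            # A record owned by another Client looks exactly like a missing one,
            # so the response leaks nothing about other tenants' data.
            self._audit(session, "view", candidate_id, "denied:tenant")
            raise AccessDenied("no such candidate for this client")
        self._audit(session, "view", candidate_id, "ok")
        return {"id": row[0], "name": row[1], "status": row[2]}

    def delete_candidate(self, session, candidate_id):
        self._require(session, "delete", candidate_id)
        cur = self.db.execute(
            "DELETE FROM candidates WHERE id = ? AND client_id = ?",
            (candidate_id, session["client_id"]),
        )
        if cur.rowcount == 0:
            self._audit(session, "delete", candidate_id, "denied:tenant")
            raise AccessDenied("no such candidate for this client")
        self._audit(session, "delete", candidate_id, "ok")

    def audit_trail(self):
        return self.db.execute(
            "SELECT employee, client_id, action, candidate_id, outcome FROM audit"
        ).fetchall()


def demo():
    """Constructed scenario: two Clients share one database. A cross-tenant
    read and an over-privileged delete are both refused and both audited."""
    store = ScreeningStore()
    client_a, client_b = str(uuid.uuid4()), str(uuid.uuid4())
    analyst_a = {"employee": "emp-001", "client_id": client_a, "role": "analyst"}
    viewer_b = {"employee": "emp-002", "client_id": client_b, "role": "viewer"}

    cid = store.add_candidate(analyst_a, "Candidate One")
    results = {"own_read": store.get_candidate(analyst_a, cid)["name"]}
    attempts = [
        ("cross_tenant_read", viewer_b, lambda s: store.get_candidate(s, cid)),
        ("role_denied_delete", analyst_a, lambda s: store.delete_candidate(s, cid)),
    ]
    for label, session, attempt in attempts:
        try:
            attempt(session)
            results[label] = "allowed"
        except AccessDenied:
            results[label] = "denied"
    results["audit_outcomes"] = [row[4] for row in store.audit_trail()]
    return results


if __name__ == "__main__":
    print(demo())
```

The design point worth noting is that the tenant filter (`AND client_id = ?`) is applied in every statement, read, update and delete alike, and the value comes only from the session established at login. Any code path that accepts a client identifier from the caller, or that forgets the filter on a single query, silently collapses the separation between Clients, which is why the audit row for a tenant mismatch is as important as the denial itself.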
To protect against accidental data destruction or loss, Vero’s primary database server is mirrored within our data centres. Appropriate anti-virus and firewall systems are in place.
Employee access to websites is restricted by gateway content filtering. Automatic controls block categories of websites, and further individual sites are blocked under the guidance of the CTO.
File-sharing is restricted at the gateway and by data loss prevention (DLP) technology. Software scans files in transit and blocks them or raises alerts in line with our Data Leak Scanning Procedure.
Vero’s screening platforms, IT infrastructure and mobile app are penetration tested on an annual cycle.
VULNERABILITY AND PATCH MANAGEMENT
Vero have robust and mature procedures for the regular testing and remediation of vulnerabilities across the Vero technology estate, along with procedures to ensure the timely deployment of vendor-released patches.
Each Client is responsible for ascertaining, and communicating to their Candidates, the lawful basis for their employment screening. Separately, Vero obtain consent from each Candidate; this consent facilitates the release of the required information from third-party organisations such as schools, previous employers and government bodies.
SUBJECT ACCESS REQUEST
All data subjects have rights in respect of the personal information compiled about them during the screening process. Candidates should direct any such data subject rights requests to the Client, who is the Data Controller.
DESTRUCTION OF DATA
Vero operate a predominantly paperless screening model. Electronic records are destroyed in accordance with the retention period agreed with the Client. Where hard-copy paperwork is gathered during the screening process, its destruction is managed by way of secure confidential waste bins and secure on-site shredding. All confidential waste is destroyed to the BS EN 15713:2009 secure destruction standard by appropriately vetted members of staff.
DATA PROTECTION LEGISLATION
As a UK-based company acting as a Data Processor on behalf of our Clients, Vero comply with the General Data Protection Regulation and UK data protection legislation. Vero observe strict technical and organisational measures to safeguard the secure collection, processing, use and storage of Candidates’ personal data, in line with the relevant legislation.
DATA PROTECTION OFFICER
Vero’s Data Protection Officer is responsible for all data protection related issues and notifications, including data breach notifications.
DATA PROTECTION TRAINING
All Vero employees complete a data protection training course on their first day of employment and annually thereafter. All employees are contractually obliged to observe strict criteria in relation to the handling of confidential information.
DATA PROTECTION AUTHORITY
Vero are registered with the Information Commissioner’s Office (ICO). Registration number: Z9379763.
DATA TRANSFERS AND SUPPLIER MANAGEMENT
Where Vero are unable to complete an element of the screening directly, we may engage our trusted network of third-party service providers to complete checks in jurisdictions outside the UK or in areas outside our expertise. Vero recognise that a large number of countries do not offer the same standard of data protection as EU member states. For this reason we operate a strict Supplier Management Policy, which includes the screening of all new suppliers, annual security questionnaires and reviews, and the use of formal processing agreements. Our processing agreements include terms stipulating that:
- Suppliers are permitted to process the data solely for employment screening purposes;
- Suppliers may retain personal data for a maximum of 90 days (unless a longer period is required by law);
- Suppliers must notify Vero of any suspected or actual data breach that compromises personal data;
- Data transfer provisions apply to suppliers outside the EEA;
- Suppliers shall take all appropriate technical and security measures to safeguard personal data.
For any queries regarding the handling of personal data at Vero, please contact our Data Protection Officer who will be happy to assist: +44 (0)1273 840 800 or firstname.lastname@example.org